Understand how SPF, DKIM, and DMARC work together to stop email spoofing and protect your domain’s reputation.
Email Authentication — SPF, DKIM, and DMARC
SPF, DKIM, and DMARC are three DNS-based email authentication standards that work together to prevent email spoofing and protect your domain from being used to send phishing emails.
How Email Spoofing Works (Without Authentication)
The Three Standards Explained
✓ Key Point
SPF + DKIM + DMARC p=reject is the gold standard. SPF and DKIM alone are not enough — DMARC is what actually tells receiving servers what to do when authentication fails. Without DMARC, an email that fails the SPF check may still be delivered. Start with p=none (monitoring only), analyse the reports, then move to p=quarantine, then p=reject.
DMARC Deployment Stages
| Stage | DMARC Policy | Effect |
|---|---|---|
| 1 — Monitor | p=none | No blocking — just receive reports on who is sending as your domain |
| 2 — Quarantine | p=quarantine | Failed emails go to spam/junk |
| 3 — Enforce | p=reject | Failed emails are blocked entirely — your domain cannot be spoofed |
⛔ Important
Many organisations set up SPF and DKIM but leave DMARC at p=none permanently. This provides visibility but no protection. A spoofed email claiming to be from your domain still reaches the recipient. Complete the deployment by moving to p=reject once you have verified all legitimate sending sources pass authentication.
Checking Your Domain’s Email Authentication
You can verify your domain’s SPF, DKIM, and DMARC records using free tools like:
- MXToolbox (mxtoolbox.com) — check all three records
- DMARC Analyser — review DMARC aggregate reports
- Google Admin Toolbox — check deliverability
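Once you have the DMARC record in hand, the following added example (not part of the original page) audits it against the deployment stages above and flags the "stuck on p=none" case. The tag names (p, sp, pct, rua) come from RFC 7489; the function names and the sample records for example.com are constructed for illustration.

```python
# Added example: audit a DMARC TXT record against the page's deployment stages.
# Tag names (v, p, sp, pct, rua) are from RFC 7489; sample records are constructed.
STAGES = {"none": "Monitor", "quarantine": "Quarantine", "reject": "Enforce"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered dict with lowercase tag names."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return (stage, findings) for the TXT value published at _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    # A DMARC record must start with v=DMARC1; anything else (an SPF record,
    # an empty answer) means receivers have no policy to apply.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return "No DMARC", ["no valid DMARC record: failures are not acted on"]
    policy = tags.get("p", "").lower()
    if policy not in STAGES:
        return "Invalid", ["missing or unknown p= tag"]
    findings = []
    if policy == "none":
        findings.append("p=none: visibility only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if policy != "none":
        # sp= overrides p= for subdomains; pct= below 100 applies the policy
        # to only a sample of failing messages.
        if tags.get("sp", policy).lower() == "none":
            findings.append("sp=none: subdomains can still be spoofed")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return STAGES[policy], findings

if __name__ == "__main__":
    samples = [  # constructed TXT values for a placeholder domain
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; sp=none",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=spf1 include:_spf.example.com ~all",
    ]
    for record in samples:
        stage, findings = audit_dmarc(record)
        print(f"{stage:<10} {record}")
        for finding in findings:
            print(f"           - {finding}")
```

Feed it the TXT value returned for _dmarc.<your domain> by any DNS lookup tool.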
When checking a received email, look at the email headers for Authentication-Results: — this shows whether SPF, DKIM, and DMARC passed or failed.
Could a scammer send email as your domain right now?
If your DMARC policy is missing or stuck on p=none, anyone can spoof your domain to scam your customers and suppliers — and your legitimate email may be landing in junk folders too. Mobile Techs IT Service helps Gold Coast businesses get email authentication right: SPF, DKIM, and DMARC configured correctly for every sending service, DMARC reports monitored, and a safe staged move to p=reject that protects your brand without breaking your mail flow. Home users welcome too — on-site or remote, anywhere in Australia.


